开启辅助访问 切换到宽版

精易论坛

 找回密码
 注册

QQ登录

只需一步,快速开始

用微信号发送消息登录论坛

新人指南 邀请好友注册 - 我关注人的新帖 教你赚取精币 - 每日签到


求职/招聘- 论坛接单- 开发者大厅

论坛版规 总版规 - 建议/投诉 - 应聘版主 - 精华帖总集 积分说明 - 禁言标准 - 有奖举报

查看: 3633|回复: 0
收起左侧

[其它] WIN7 X64 SSDT函数获得

[复制链接]
结帖率:53% (9/17)
发表于 2013-3-23 21:49:16 | 显示全部楼层 |阅读模式   广东省深圳市
曾经在网上看到一片文章,

在早期64位系统,内核函数开头地址的低四位一般是0,形如:xxxxxxxx`xxxxxxx0,这一特征在SSDT表中有很强大的引用,SSDT表在64位系统于32位系统有较大的差别。以下是在64位系统下的KeServiceDescriptorTable:
  1. <li>nt!KiSystemServiceStart+0x7:

  2. </li><li>fffff800`03cc7fe5 8bf8            mov     edi,eax ; copy system service
  3. number

  4. </li><li>kd> p

  5. </li><li>nt!KiSystemServiceStart+0x9:

  6. </li><li>fffff800`03cc7fe7 c1ef07          shr     edi,7   ; isolate service table
  7. number(SERVICE_TABLE_SHIFT)

  8. </li><li>kd> p

  9. </li><li>nt!KiSystemServiceStart+0xc:

  10. </li><li>fffff800`03cc7fea 83e720          and     edi,20h ;(SERVICE_TABLE_MASK)

  11. </li><li>kd> p

  12. </li><li>nt!KiSystemServiceStart+0xf:

  13. </li><li>fffff800`03cc7fed 25ff0f0000      and     eax,0FFFh ;(SERVICE_NUMBER_MASK
  14. )isolate service table offset 0fffh

  15. </li><li>kd> r

  16. </li><li>rax=0000000000000138 rbx=fffffa800edc0100 rcx=0000000000000084

  17. </li><li>rdx=0000000000000000 rsi=00000000002a8490 rdi=0000000000000000

  18. </li><li>rip=fffff80003cc7fed rsp=fffff8800245dc20 rbp=fffff8800245dca0

  19. </li><li>r8=0000000000000001  r9=0000000000000001 r10=0000000000000084

  20. </li><li>r11=0000000000000206 r12=00000000772c4420 r13=0000000000000000

  21. </li><li>r14=00000000772c4400 r15=00000000772c4498

  22. </li><li>iopl=0         nv up ei pl zr na po nc

  23. </li><li>cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b            
  24. efl=00000246

  25. </li><li>nt!KiSystemServiceStart+0xf:

  26. </li><li>fffff800`03cc7fed 25ff0f0000      and     eax,0FFFh

  27. </li><li>kd> p

  28. </li><li>nt!KiSystemServiceRepeat:

  29. </li><li>fffff800`03cc7ff2 4c8d1547782300  lea     r10,[nt!KeServiceDescriptorTable
  30. (fffff800`03eff840)]

  31. </li><li>kd> r

  32. </li><li>rax=0000000000000138 rbx=fffffa800edc0100 rcx=0000000000000084

  33. </li><li>rdx=0000000000000000 rsi=00000000002a8490 rdi=0000000000000000

  34. </li><li>rip=fffff80003cc7ff2 rsp=fffff8800245dc20 rbp=fffff8800245dca0

  35. </li><li>r8=0000000000000001  r9=0000000000000001 r10=0000000000000084

  36. </li><li>r11=0000000000000206 r12=00000000772c4420 r13=0000000000000000

  37. </li><li>r14=00000000772c4400 r15=00000000772c4498

  38. </li><li>iopl=0         nv up ei pl nz na pe nc

  39. </li><li>cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b            
  40. efl=00000202

  41. </li><li>nt!KiSystemServiceRepeat:

  42. </li><li>fffff800`03cc7ff2 4c8d1547782300  lea     r10,[nt!KeServiceDescriptorTable
  43. (fffff800`03eff840)]

  44. </li><li>kd> p

  45. </li><li>nt!KiSystemServiceRepeat+0x7:

  46. </li><li>fffff800`03cc7ff9 4c8d1d80782300  lea  
  47.    r11,[nt!KeServiceDescriptorTableShadow (fffff800`03eff880)]

  48. </li><li>kd> p

  49. </li><li>nt!KiSystemServiceRepeat+0xe:

  50. </li><li>fffff800`03cc8000 f7830001000080000000 test dword ptr [rbx+100h],80h

  51. </li><li>kd> r

  52. </li><li>rax=0000000000000138 rbx=fffffa800edc0100 rcx=0000000000000084

  53. </li><li>rdx=0000000000000000 rsi=00000000002a8490 rdi=0000000000000000

  54. </li><li>rip=fffff80003cc8000 rsp=fffff8800245dc20 rbp=fffff8800245dca0

  55. </li><li>r8=0000000000000001  r9=0000000000000001 r10=fffff80003eff840

  56. </li><li>r11=fffff80003eff880 r12=00000000772c4420 r13=0000000000000000

  57. </li><li>r14=00000000772c4400 r15=00000000772c4498

  58. </li><li>iopl=0         nv up ei pl nz na pe nc

  59. </li><li>cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b            
  60. efl=00000202

  61. </li><li>nt!KiSystemServiceRepeat+0xe:

  62. </li><li>fffff800`03cc8000 f7830001000080000000 test dword ptr [rbx+100h],80h
  63. ds:002b:fffffa80`0edc0200=00000060

  64. </li><li>kd> db fffff800`03eff840

  65. </li><li>fffff800`03eff840  00 9b cc 03 00 f8 ff ff-00 00 00 00 00 00 00
  66. 00  ................

  67. </li><li>fffff800`03eff850  91 01 00 00 00 00 00 00-8c a7 cc 03 00 f8 ff
  68. ff  ................

  69. </li><li>fffff800`03eff860  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00
  70. 00  ................

  71. </li><li>fffff800`03eff870  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00
  72. 00  ................

  73. </li><li>fffff800`03eff880  00 9b cc 03 00 f8 ff ff-00 00 00 00 00 00 00
  74. 00  ................

  75. </li><li>fffff800`03eff890  91 01 00 00 00 00 00 00-8c a7 cc 03 00 f8 ff
  76. ff  ................

  77. </li><li>fffff800`03eff8a0  00 1c 0e 00 60 f9 ff ff-00 00 00 00 00 00 00
  78. 00  ....`...........

  79. </li><li>fffff800`03eff8b0  3b 03 00 00 00 00 00 00-1c 39 0e 00 60 f9 ff
  80. ff  ;........9..`...

  81. </li><li>kd> p

  82. </li><li>nt!KiSystemServiceRepeat+0x18:

  83. </li><li>fffff800`03cc800a 4d0f45d3        cmovne  r10,r11

  84. </li><li>kd> p

  85. </li><li>nt!KiSystemServiceRepeat+0x1c:

  86. </li><li>fffff800`03cc800e 423b441710      cmp     eax,dword ptr [rdi+r10+10h] ;check
  87. if valid service

  88. </li><li>kd> r

  89. </li><li>rax=0000000000000138 rbx=fffffa800edc0100 rcx=0000000000000084

  90. </li><li>rdx=0000000000000000 rsi=00000000002a8490 rdi=0000000000000000

  91. </li><li>rip=fffff80003cc800e rsp=fffff8800245dc20 rbp=fffff8800245dca0

  92. </li><li>r8=0000000000000001  r9=0000000000000001 r10=fffff80003eff840

  93. </li><li>r11=fffff80003eff880 r12=00000000772c4420 r13=0000000000000000

  94. </li><li>r14=00000000772c4400 r15=00000000772c4498

  95. </li><li>iopl=0         nv up ei pl zr na po nc

  96. </li><li>cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b            
  97. efl=00000246

  98. </li><li>nt!KiSystemServiceRepeat+0x1c:

  99. </li><li>fffff800`03cc800e 423b441710      cmp     eax,dword ptr [rdi+r10+10h]
  100. ds:002b:fffff800`03eff850=00000191

  101. </li><li>kd> p

  102. </li><li>nt!KiSystemServiceRepeat+0x21:

  103. </li><li>fffff800`03cc8013 0f83e9020000    jae     nt!KiSystemServiceExit+0x1a7
  104. (fffff800`03cc8302)

  105. </li><li>kd> p

  106. </li><li>nt!KiSystemServiceRepeat+0x27:

  107. </li><li>fffff800`03cc8019 4e8b1417        mov     r10,qword ptr [rdi+r10] ;table
  108. base

  109. </li><li>kd> p

  110. </li><li>nt!KiSystemServiceRepeat+0x2b:

  111. </li><li>fffff800`03cc801d 4d631c82        movsxd  r11,dword ptr [r10+rax*4] ; get
  112. system service offset

  113. </li><li>kd> r

  114. </li><li>rax=0000000000000138 rbx=fffffa800edc0100 rcx=0000000000000084

  115. </li><li>rdx=0000000000000000 rsi=00000000002a8490 rdi=0000000000000000

  116. </li><li>rip=fffff80003cc801d rsp=fffff8800245dc20 rbp=fffff8800245dca0

  117. </li><li>r8=0000000000000001  r9=0000000000000001 r10=fffff80003cc9b00

  118. </li><li>r11=fffff80003eff880 r12=00000000772c4420 r13=0000000000000000

  119. </li><li>r14=00000000772c4400 r15=00000000772c4498

  120. </li><li>iopl=0         nv up ei ng nz na pe cy

  121. </li><li>cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b            
  122. efl=00000283

  123. </li><li>nt!KiSystemServiceRepeat+0x2b:

  124. </li><li>fffff800`03cc801d 4d631c82        movsxd  r11,dword ptr [r10+rax*4]
  125. ds:002b:fffff800`03cc9fe0=000f3080

  126. </li><li>kd> p

  127. </li><li>nt!KiSystemServiceRepeat+0x2f:

  128. </li><li>fffff800`03cc8021 498bc3          mov     rax,r11 ; system service
  129. offset

  130. </li><li>kd> r

  131. </li><li>rax=0000000000000138 rbx=fffffa800edc0100 rcx=0000000000000084

  132. </li><li>rdx=0000000000000000 rsi=00000000002a8490 rdi=0000000000000000

  133. </li><li>rip=fffff80003cc8021 rsp=fffff8800245dc20 rbp=fffff8800245dca0

  134. </li><li>r8=0000000000000001  r9=0000000000000001 r10=fffff80003cc9b00

  135. </li><li>r11=00000000000f3080 r12=00000000772c4420 r13=0000000000000000

  136. </li><li>r14=00000000772c4400 r15=00000000772c4498

  137. </li><li>iopl=0         nv up ei ng nz na pe cy

  138. </li><li>cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b            
  139. efl=00000283

  140. </li><li>nt!KiSystemServiceRepeat+0x2f:

  141. </li><li>fffff800`03cc8021 498bc3          mov     rax,r11

  142. </li><li>kd> p

  143. </li><li>nt!KiSystemServiceRepeat+0x32:

  144. </li><li>fffff800`03cc8024 49c1fb04        sar     r11,4 ;关键所在 ,还得再右移4位

  145. </li><li>kd> p

  146. </li><li>nt!KiSystemServiceRepeat+0x36:

  147. </li><li>fffff800`03cc8028 4d03d3          add     r10,r11 ;; add table base to
  148. 获得真正的函数地址

  149. </li><li>kd> r

  150. </li><li>rax=00000000000f3080 rbx=fffffa800edc0100 rcx=0000000000000084

  151. </li><li>rdx=0000000000000000 rsi=00000000002a8490 rdi=0000000000000000

  152. </li><li>rip=fffff80003cc8028 rsp=fffff8800245dc20 rbp=fffff8800245dca0

  153. </li><li>r8=0000000000000001  r9=0000000000000001 r10=fffff80003cc9b00

  154. </li><li>r11=000000000000f308 r12=00000000772c4420 r13=0000000000000000

  155. </li><li>r14=00000000772c4400 r15=00000000772c4498

  156. </li><li>iopl=0         nv up ei pl nz na pe nc

  157. </li><li>cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b            
  158. efl=00000202

  159. </li><li>nt!KiSystemServiceRepeat+0x36:

  160. </li><li>fffff800`03cc8028 4d03d3          add     r10,r11

  161. </li><li>kd> p

  162. </li><li>nt!KiSystemServiceRepeat+0x39:

  163. </li><li>fffff800`03cc802b 83ff20          cmp     edi,20h

  164. </li><li>kd> r

  165. </li><li>rax=00000000000f3080 rbx=fffffa800edc0100 rcx=0000000000000084

  166. </li><li>rdx=0000000000000000 rsi=00000000002a8490 rdi=0000000000000000

  167. </li><li>rip=fffff80003cc802b rsp=fffff8800245dc20 rbp=fffff8800245dca0

  168. </li><li>r8=0000000000000001  r9=0000000000000001 r10=fffff80003cd8e08

  169. </li><li>r11=000000000000f308 r12=00000000772c4420 r13=0000000000000000

  170. </li><li>r14=00000000772c4400 r15=00000000772c4498

  171. </li><li>iopl=0         nv up ei ng nz na pe nc

  172. </li><li>cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b            
  173. efl=00000282

  174. </li><li>nt!KiSystemServiceRepeat+0x39:

  175. </li><li>fffff800`03cc802b 83ff20          cmp     edi,20h

  176. </li><li>kd> u fffff80003cd8e08

  177. </li><li>nt!NtReleaseWorkerFactoryWorker:

  178. </li><li>fffff800`03cd8e08 4c8bdc          mov     r11,rsp

  179. </li><li>fffff800`03cd8e0b 49895b08        mov     qword ptr [r11+8],rbx

  180. </li><li>fffff800`03cd8e0f 49896b18        mov     qword ptr [r11+18h],rbp

  181. </li><li>fffff800`03cd8e13 49897320        mov     qword ptr [r11+20h],rsi

  182. </li><li>fffff800`03cd8e17 57              push    rdi

  183. </li><li>fffff800`03cd8e18 4154            push    r12

  184. </li><li>fffff800`03cd8e1a 4155            push    r13

  185. </li><li>fffff800`03cd8e1c 4883ec60        sub     rsp,60h

  186. </li><li>kd> p

  187. </li><li>nt!KiSystemServiceRepeat+0x3c:

  188. </li><li>fffff800`03cc802e 7550            jne  
  189.    nt!KiSystemServiceGdiTebAccess+0x49 (fffff800`03cc8080)

  190. </li><li>kd> p

  191. </li><li>nt!KiSystemServiceGdiTebAccess+0x49:

  192. </li><li>fffff800`03cc8080 83e00f          and     eax,0Fh

  193. </li><li>kd> p

  194. </li><li>nt!KiSystemServiceGdiTebAccess+0x4c:

  195. </li><li>fffff800`03cc8083 0f84b7000000    je      nt!KiSystemServiceCopyEnd
  196. (fffff800`03cc8140)

  197. </li><li>kd> p

  198. </li><li>nt!KiSystemServiceCopyEnd:

  199. </li><li>fffff800`03cc8140 f705fee4180040000000 test dword ptr
  200. [nt!PerfGlobalGroupMask+0x8 (fffff800`03e56648)],40h

  201. </li><li>kd> p

  202. </li><li>nt!KiSystemServiceCopyEnd+0xa:

  203. </li><li>fffff800`03cc814a 0f8550020000    jne     nt!KiSystemServiceExit+0x245
  204. (fffff800`03cc83a0)

  205. </li><li>kd> p

  206. </li><li>nt!KiSystemServiceCopyEnd+0x10:

  207. </li><li>fffff800`03cc8150 41ffd2          call    r10 ; ; call system
  208. service</li>
复制代码
所以WIN7 X64下应该是:
  • FuncAddr=([KeServiceDescriptortable+index*4] >>4 +KeServiceDescriptortable)&0xFFFFFFF0.




而且和以前不同的是原来是从ETHREAD里取TABLE 地址,但现在通过 lea     r10,[nt!KeServiceDescriptorTable (fffff800`03eff840)]
,扑灭了ROOTKITER们的最后一线HOOK 希望。
您需要登录后才可以回帖 登录 | 注册

本版积分规则 致发广告者

发布主题 收藏帖子 返回列表

sitemap| 易语言源码| 易语言教程| 易语言论坛| 易语言模块| 手机版| 广告投放| 精易论坛
拒绝任何人以任何形式在本论坛发表与中华人民共和国法律相抵触的言论,本站内容均为会员发表,并不代表精易立场!
论坛帖子内容仅用于技术交流学习和研究的目的,严禁用于非法目的,否则造成一切后果自负!如帖子内容侵害到你的权益,请联系我们!
防范网络诈骗,远离网络犯罪 违法和不良信息举报电话0663-3422125,QQ: 793400750,邮箱:wp@125.la
网站简介:精易论坛成立于2009年,是一个程序设计学习交流技术论坛,隶属于揭阳市揭东区精易科技有限公司所有。
Powered by Discuz! X3.4 揭阳市揭东区精易科技有限公司 ( 粤ICP备12094385号-1) 粤公网安备 44522102000125 增值电信业务经营许可证 粤B2-20192173

快速回复 返回顶部 返回列表